Message-ID: <200305011720.44136.arny@ats.s.bawue.de>
Date: Thu, 1 May 2003 17:20:44 +0200
From: Thilo Schulz <arny@....s.bawue.de>
To: bugtraq@...urityfocus.com, raptor@...iaservice.net
Subject: Re: OpenSSH/PAM timing attack allows remote users identification


On Wednesday, 30th April 2003 16:34 Marco Ivaldi wrote:
> During a pen-test we stumbled across a nasty bug in OpenSSH-portable with
> PAM support enabled (via the --with-pam configure script switch). This bug
> allows a remote attacker to identify valid users on vulnerable systems,
> through a simple timing attack. The vulnerability is easy to exploit and may
> have high severity, if combined with poor password policies and other
> security problems that allow local privilege escalation.

This is !!NOT!! a problem specific to OpenSSH.
When I saw this topic come up, I tried the same with ProFTPD, which can also
use PAM to establish the user's authentication.

Here is an example with the simple ftp tool:
thilo@...lo thilo $ ftp www.someftphost.net
Connected to www.someftphost.net.
220 ProFTPD 1.2.5rc1 Server (Debian) [www.someftphost.net]
Name (www.someftphost.net:thilo): thilo
331 Password required for thilo.
Password:
[valid user account, but wrong password: 2-second wait]
530 Login incorrect.
Login failed.
ftp>

Same here: if this is an invalid user, there is no delay between entering
the password and the 530 reply.
I tested the Postfix SMTP daemon, Apache and the ipopd POP3 daemon, which have PAM
support; there this weakness is obviously not present. Still, don't consider all
daemons secure: there may be many others out there that suffer from the
same weakness.

 - Thilo Schulz
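The weakness described in this thread (a failure delay that is only incurred once a password has actually been checked, so unknown accounts fail instantly) and its mitigation, as an added illustration that is not part of the original post or of OpenSSH/ProFTPD/PAM code. The user database, the shortened 150 ms failure delay and the PBKDF2 hashing are constructed for the demo; real PAM stacks apply the delay in the module, not in the application.

```python
"""Timing-oracle demo: a PAM-style login check that delays only after a
real password comparison leaks whether the account exists; the hardened
variant does identical hash work and identical delay on every failure."""
import hashlib
import hmac
import os
import time

FAIL_DELAY = 0.15       # seconds; pam_unix-style failure delay, shortened for the demo
PBKDF2_ROUNDS = 20_000  # constructed cost parameter, not a real PAM setting


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed sample user database (hypothetical; not from the list post).
_SALT = os.urandom(16)
USERS = {"thilo": (_SALT, _hash("correct horse", _SALT))}

# Fixed dummy salt/hash so the hardened path can still hash for unknown users.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)


def vulnerable_login(user: str, password: str) -> bool:
    """Mimics the behaviour reported in the thread: an unknown user fails
    immediately, while a known user with a bad password costs one hash plus
    the failure delay. Elapsed time therefore reveals account existence."""
    record = USERS.get(user)
    if record is None:
        return False                      # early return: no hash, no delay
    salt, stored = record
    if hmac.compare_digest(_hash(password, salt), stored):
        return True
    time.sleep(FAIL_DELAY)                # delay only on this failure path
    return False


def hardened_login(user: str, password: str) -> bool:
    """Same outcome, but every failure path performs the same hash work and
    the same delay, so timing no longer distinguishes known from unknown."""
    salt, stored = USERS.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash(password, salt)     # always hash, even for unknown users
    matched = hmac.compare_digest(candidate, stored)
    # Unknown users must fail even if their password happens to match the dummy hash.
    ok = matched and user in USERS
    if not ok:
        time.sleep(FAIL_DELAY)            # delay on every failure path
    return ok


def timed(fn, user: str, password: str) -> tuple:
    """Return (result, elapsed_seconds) for one login attempt."""
    start = time.perf_counter()
    result = fn(user, password)
    return result, time.perf_counter() - start


def timing_gap(fn) -> float:
    """Seconds between a known-user failure and an unknown-user failure.
    A large positive gap is exactly the user-enumeration oracle."""
    _, known = timed(fn, "thilo", "wrong password")
    _, unknown = timed(fn, "nosuchuser", "wrong password")
    return known - unknown


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_login), ("hardened", hardened_login)):
        print(f"{name:10s} known-vs-unknown gap: {timing_gap(fn) * 1000:7.1f} ms")
```

Running the block prints a gap of roughly the full failure delay for `vulnerable_login` and a gap near zero for `hardened_login`. The same principle applies to a daemon that calls PAM: the application should not short-circuit before the PAM conversation, and the PAM stack should apply its failure delay regardless of which module rejected the attempt, so that a valid and an invalid account name take the same time to be refused.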

